Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-8xv7-89vj-q48c

GitHub Security Advisory

Information disclosure in AccessControl

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure.

`AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe.

Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it.

### Patches
A fix will be introduced in the versions 4.4, 5.8 and 6.2.

### Workarounds
There are no workarounds.

### References
https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67 describes the corresponding problem for `RestrictedPython`.

Affected Packages

PyPI AccessControl
Affected versions: 0 (fixed in 4.4)
PyPI Zope
Affected versions: 0 (fixed in 4.8.9)
PyPI AccessControl
Affected versions: 5.0 (fixed in 5.8)
PyPI AccessControl
Affected versions: 6.0 (fixed in 6.2)
PyPI Zope
Affected versions: 5.0.0 (fixed in 5.8.4)

Related CVEs

CVE-2023-41050

Key Information

GHSA ID
GHSA-8xv7-89vj-q48c
Published
September 7, 2023 12:56 PM
Last Modified
September 7, 2023 12:56 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
AccessControl
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 13, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.